I'm still wondering if
a. Removing system:anyuser from ACLs will prevent this privilege escalation
b. Removing system:anyuser from ACLs except "system:anyuser l" will
prevent the privilege escalation (i.e. the only occurrence of
system:anyuser is with l permission)
Any definitive conclusions?
Thanks!
Kim
Kim Kimball wrote:
> Yes, but I thought this depended on a file in the cache that had been
> retrieved over an unauthenticated connection.
>
> Lookup won't put a file in the cache.
>
> Jeffrey Altman wrote:
>> Kim Kimball wrote:
>>> If I abandon use of system:anyuser, except for lookup, does that get the
>>> job done?
>>>
>>> It seems to me that this forces all connections capable of fetching data
>>> to be authenticated. If I'm reading the alert correctly, this would
>>> prevent FetchStatus exploit?
>>>
>>> Kim
>>
>> Lookup is performed via FetchStatus
>>
>> Jeffrey Altman
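
An added example, not part of the thread: a small audit for option (b) above that parses `fs listacl` output and reports the directories where system:anyuser holds normal rights beyond `l`. The sample output, cell name and paths are constructed, and the function name is hypothetical.

```python
import re

# Constructed sample of `fs listacl` output for two directories (not from the thread).
SAMPLE = """\
Access list for /afs/example.org/public is
Normal rights:
  system:administrators rlidwka
  system:anyuser rl
Access list for /afs/example.org/user/kim is
Normal rights:
  system:administrators rlidwka
  system:anyuser l
  kim rlidwka
Negative rights:
  system:anyuser w
"""

HEADER = re.compile(r"^Access list for (.+) is$")


def anyuser_excess(listacl_text, allowed="l"):
    """Map each directory to the system:anyuser normal rights beyond `allowed`."""
    findings = {}
    path, section = None, None
    for line in listacl_text.splitlines():
        stripped = line.strip()
        m = HEADER.match(stripped)
        if m:
            path, section = m.group(1), None
            continue
        if stripped in ("Normal rights:", "Negative rights:"):
            section = stripped.split()[0].lower()
            continue
        parts = stripped.split()
        # Only positive grants widen access; negative entries subtract rights.
        if path and section == "normal" and len(parts) == 2 and parts[0] == "system:anyuser":
            excess = "".join(c for c in parts[1] if c not in allowed)
            if excess:
                findings[path] = excess
    return findings


if __name__ == "__main__":
    for directory, rights in anyuser_excess(SAMPLE).items():
        print(f"{directory}: system:anyuser holds '{rights}' beyond lookup")
```

Passing `allowed=""` reports every directory that names system:anyuser at all, which is the inventory option (a) would need.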